Tencent-Cloud 1007 36568 en

SSL Certificate Service
Certificate Installation
Product Documentation
©2013-2022 Tencent Cloud. All rights reserved. Page 1 of 59

Copyright Notice
©2013-2023 Tencent Cloud. All rights reserved.
Copyright in this document is exclusively owned by Tencent Cloud. You must not reproduce, modify, copy or distribute
in any way, in whole or in part, the contents of this document without Tencent Cloud's the prior written consent.
Trademark Notice
All trademarks associated with Tencent Cloud and its services are owned by Tencent Cloud Computing (Beijing)
Company Limited and its affiliated companies. Trademarks of third parties referred to in this document are owned by
their respective proprietors.
Service Statement
This document is intended to provide users with general information about Tencent Cloud's products and services
only and does not form part of Tencent Cloud's terms and conditions. Tencent Cloud's products or services are
subject to change. Specific products and services and the standards applicable to them are exclusively provided for in
Tencent Cloud's applicable terms and conditions.

Contents
Selecting an Installation Type for an SSL Certificate
Installation of International Standard Certificates
Installing an SSL Certificate on an Nginx Server
（
Installing an SSL Certificate on an Apache Server Linux ）
Installing an SSL Certificate on an Apache Server (Windows)
Installing an SSL Certificate (JKS Format) on a Tomcat Server
Installing an SSL Certificate (PFX Format) on a Tomcat Server
Installing an SSL Certificate on a GlassFish Server
Installing an SSL Certificate on a JBoss Server
Installing an SSL Certificate on a Jetty Server
Installing a Certificate on IIS Servers
Installing a Certificate on WebLogic Servers

Selecting an Installation Type for an SSL
Certificate
：
Last updated 2021-07-07 14:42:22
Manually Installing a Certificate

You can choose an appropriate method to install a certificate based on the encryption standard of your certificate and
your server type.
Note ：
Currently, 8 methods are available for installing a certificate.
SSL Certificate Type Server OS Certificate Installation Method
Installing a Certificate on Apache Servers
Installing a Certificate on an Nginx Server
Installing a Certificate on a Tomcat Server

Linux
Installing a Certificate on GlassFish Servers
International standard certificate (RSA/ECC)
Installing a Certificate on JBoss Servers
Installing a Certificate on Jetty Servers

Windows
Using the Certificate Installation Service Provided by Tencent Cloud

Marketplace

Manual installation methods described above are for mainstream servers. For server types that are not listed, you can
use Tencent Cloud’s certificate installation service.

Installation of International Standard

Certificates
Installing an SSL Certificate on an Nginx
Server
：
Last updated 2022-09-14 17:38:20
Overview
This document describes how to install an SSL certificate on an Nginx server.
Note ：
The certificate name cloud.tencent.com is used as an example.
The Nginx version nginx/1.18.0 is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable the default HTTPS port 443 on the Nginx server so that HTTPS
can be enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a
VM?.
For more information about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Preparations
Install the remote file copy tool such as WinSCP. The latest official version is recommended.
Install the remote login tool such as PuTTY or Xshell. The latest official version is recommended.
Install the Nginx service containing http_ssl_module module in the current server.
The data required to install the SSL certificate includes the following:
Item Description
Server IP address IP address of the server, which is used to connect the PC to the server.
Username The username used to log in to the server.
Password The password used to log in to the server.

Note ：
For a CVM instance purchased on Tencent Cloud, you can log in to the CVM console to get the server IP
address, username, and password.
Directions
Installing the certificate
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select Nginx for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_nginx folder.
Folder: cloud.tencent.com_nginx
Files in the folder:
cloud.tencent.com_bundle.crt : Certificate file
cloud.tencent.com_bundle.pem : Certificate file (optional)
cloud.tencent.com.key : Private key file
cloud.tencent.com.csr : CSR file
Note ：
The CSR file is uploaded by you or generated online by the system and is provided to the certificate
authority (CA) when you apply for the certificate. It is not relevant to installation.
3. Log in to the Nginx server using WinSCP (a tool copying files between a local computer and a remote computer).
4. Copy the cloud.tencent.com_bundle.crt and cloud.tencent.com.key files from the local

directory to the /usr/local/nginx/conf directory of the Nginx server (this is the default installation directory
on the Nginx server and can be adjusted as needed).
5. Log in to the Nginx server remotely with such a login tool as PuTTY.

6. Modify the conf/nginx.conf configuration file in the Nginx root directory as follows:
Note：
If you cannot find the following content, add it manually.
In this operation, you can edit the file by running vim /usr/local/nginx/conf/nginx.conf .
You may need to set the configuration file differently based on the Nginx version. For example, use
listen 443 ssl instead of listen 443 or ssl on for the version nginx/1.15.0 or
later.
server {
# The default SSL access port is 443
listen 443 ssl;
# Enter the domain name bound to the certificate
server_name cloud.tencent.com;
# Enter the relative or absolute path of the certificate file
ssl_certificate cloud.tencent.com_bundle.crt;
# Enter the relative or absolute path of the private key file
ssl_certificate_key cloud.tencent.com.key;
ssl_session_timeout 5m;
# Configure the following protocols
ssl_protocols TLSv1.2 TLSv1.3;
# Configure the cipher suite according to the OpenSSL standard
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
# Path to the website homepage. This example is for reference only. You need to
set it to the actual path.
# For example, if your website homepage is under the "/etc/www" path of the Ngi
nx server, change the "html" behind "root" to "/etc/www".
root html;
index index.html index.htm;
}
}
7. Run the following command in the Nginx root directory to check whether there is a problem with the configuration
file.
./sbin/nginx -t
If yes, reconfigure or fix the problem as prompted.

Otherwise, proceed to step 8.
8. Run the following command in the Nginx root directory to restart Nginx.
./sbin/nginx -s reload
9. If the server is restarted successfully, you can access it through https://cloud.tencent.com .
(Optional) Security configuration for automatic redirect from HTTP to HTTPS
To redirect HTTP requests to HTTPS, complete the following settings:
1. Select one of the following configuration methods based on your actual needs:
Add a JavaScript script to the page.

Add redirect in the backend program.
Redirect through a web server.
Nginx supports rewrite. If you did not remove PCRE during the compilation, you can add return 301
https://$host$request_uri; to the HTTP server to redirect requests made to the default HTTP port 80
to HTTPS.
Note：
Uncommented configuration statements can be configured as shown below.
You may need to configure the configuration file differently based on the Nginx version. For example,
use listen 443 ssl instead of listen 443 or ssl on for the version
nginx/1.15.0 or later.
server {
# The default SSL access port is 443
listen 443 ssl;
# Enter the relative or absolute path of the certificate file
ssl_certificate cloud.tencent.com_bundle.crt;
# Enter the relative or absolute path of the private key file
ssl_certificate_key cloud.tencent.com.key;
ssl_session_timeout 5m;
# Configure the cipher suite according to the OpenSSL standard
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD

5:!ADH:!RC4;
# Configure the following protocols
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
# Path to the website homepage. This example is for reference only. You need
to set it to the actual path.
# For example, if your website homepage is under the "/etc/www" path of the N
ginx server, change the "html" behind "root" to "/etc/www".
root html;
index index.html index.htm;
}
}
server {
listen 80;
# Redirect requests made to an HTTP domain name to HTTPS
return 301 https://$host$request_uri;
}
2. Run the following command in the Nginx root directory to check whether there is a problem with the configuration
file.
./sbin/nginx -t

3. Run the following command in the Nginx root directory to restart Nginx.
./sbin/nginx -s reload
4. If the server is restarted successfully, you can access it through https://cloud.tencent.com .
Note ：
If you experience any issues with the above steps, contact us.

Installing an SSL Certificate on an Apache

Server Linux （）
：
Last updated 2022-10-17 12:35:23
Overview
This document describes how to install an SSL certificate on an Apache server.
Note ：
The Apache/2.4.6 version is used as an example. The default port is 80 . You can download it from
the Apache official website. If you need to use another version, please contact us.
Before you install an SSL certificate, enable port 443 on the Apache server so that HTTPS can be enabled
after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, please see Copying Local Files to
CVMs.
Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official
website.
A remote login tool such as PuTTY or Xshell has been installed. Please download the latest version from the official
website.
The Apache service has been installed and configured on the current server.
Name Remarks

Note ：
Directions
2. In the pop-up window, select Apache for the server type, click Download, and decompress the
cloud.tencent.com_apache folder.
Folder: cloud.tencent.com_apache
root_bundle.crt : certificate file
cloud.tencent.com.crt : certificate file
cloud.tencent.com.key : private key file
CSR file: cloud.tencent.com.csr
Note ：
The CSR file is uploaded by you or generated online by the system and is provided to the certificate authority
(CA) when you apply for the certificate. It is not relevant to installation.
3. Log in to the Apache server using WinSCP (a tool copying files between a local computer and a remote computer).
4. Copy the obtained certificate files root_bundle.crt and cloud.tencent.com.crt and the private key
file cloud.tencent.com.key from the local directory to the /etc/httpd/ssl directory of the Apache
server.
Note ：
If the /etc/httpd/ssl directory does not exist, run mkdir /etc/httpd/ssl in the command line
to create it.

5. Log in to the Apache server remotely by using a login tool such as PuTTY.
Note：
For a newly installed Apache server, the conf.d , conf , and conf.modules.d directories are
under the /etc/httpd directory by default.
6. In the httpd.conf configuration file under /etc/httpd/conf , find the Include

conf.modules.d/*.conf configuration statement (for loading the SSL configuration directory) and check
whether it is commented out. If so, remove the comment symbol ( # ) from the first line and save the configuration
file.
7. In the 00-ssl.conf configuration file under /etc/httpd/conf.modules.d , find the LoadModule

ssl_module modules/mod_ssl.so configuration statement (for loading the SSL module) and check whether
it is commented out. If so, remove the comment symbol ( # ) from the first line and save the configuration file.
Note：
The directory structure varies by OS version. Please find files in accordance with the actual OS version.
If they cannot be found in the files above, check whether the mod_ssl.so module has been installed. If no,
run the yum install mod_ssl command to install it.
8. Edit the ssl.conf configuration file in the /etc/httpd/conf.d directory by modifying the following:
<VirtualHost 0.0.0.0:443>
DocumentRoot "/var/www/html"
# Enter the certificate name
ServerName cloud.tencent.com
# Enable SSL
SSLEngine on
# Path of the certificate file
SSLCertificateFile /etc/httpd/ssl/cloud.tencent.com.crt
# Path of the private key file
SSLCertificateKeyFile /etc/httpd/ssl/cloud.tencent.com.key
# Path of the certificate chain file
SSLCertificateChainFile /etc/httpd/ssl/root_bundle.crt
</VirtualHost>

9. Restart the Apache server and then you can access it through https://cloud.tencent.com .
(Optional) security configuration for automatic redirect from HTTP to HTTPS
You can redirect HTTP requests to HTTPS by configuring the following settings:
1. Edit the httpd.conf configuration file in the /etc/httpd/conf directory.
Note ：
The directory structure varies by Apache version. For more information, see Apache Module
mod_rewrite.
httpd.conf is located in more than one directory. You can filter them by /etc/httpd/* .
2. Check whether LoadModule rewrite_module modules/mod_rewrite.so is in it.
If yes, remove the comment symbol ( # ) in front of LoadModule rewrite_module

modules/mod_rewrite.so and proceed to step 4.
3. Create a new *.conf file such as 00-rewrite.conf in /etc/httpd/conf.modules.d and add the following to it:
LoadModule rewrite_module modules/mod_rewrite.so
4. Add the following to the httpd.conf configuration file:
<Directory "/var/www/html">
# Add the following:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>
4. Restart the Apache server and then you can access it through http://cloud.tencent.com .
Note ：
If you experience any issues with the above steps, please contact us.

Installing an SSL Certificate on an Apache

Server (Windows)
：
Last updated 2022-09-14 17:41:10
Overview
This document describes how to install an SSL certificate on an Apache server.
Note ：
Apache version: Apache/2.4.53. The default port is 80 . You can download it here. If you need a different
version, contact us.
The current server OS is Windows Server 2012 R2. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the Apache server so that HTTPS can be enabled
Preparations
Install the Apache service on the current server.
Item Description
Note ：

Directions
Step 1. Upload the certificate file
2. In the pop-up window, select Apache for the server type, click Download, and decompress the
cloud.tencent.com_apache file.
root_bundle.crt : certificate file
cloud.tencent.com.csr : CSR file
Note ：
3. Log in to the Apache server via the RDP port.
Note ：
For upload instructions, see Uploading Files from Linux to Windows CVM using RDP.
4. Copy the root_bundle.crt certificate file, cloud.tencent.com.crt certificate file, and

cloud.tencent.com.key private secret file from the local directory to the ssl.crt and ssl.key

folders under the \conf directory of the Apache server, respectively.
SSL Certificate File Folder
root_bundle.crt
ssl.crt
cloud.tencent.com.crt
cloud.tencent.com.key ssl.key
Step 2. Configure the file
1. Open the httpd.conf file in the conf directory of the Apache server with a text editor and delete the #
before the following fields.
#LoadModule ssl_module modules/mod_ssl.so

#Include conf/extra/httpd-ssl.conf
2. Open the httpd-ssl.conf file in the conf\extra directory of the Apache server with a text editor as
shown below:

3. Modify the httpd-ssl.conf file and set the following field parameters to the paths of the uploaded certificate
files as shown below:
SSLCertificateFile "C:/apache/conf/ssl.crt/cloud.tencent.com.crt"
SSLCertificateKeyFile "C:/apache/conf/ssl.key/cloud.tencent.com.key"
SSLCACertificateFile "C:/apache/conf/ssl.crt/root_bundle.crt"
4. Restart the Apache server and then you can access it through https://cloud.tencent.com .
1. Open the httpd.conf file in the conf directory of the Apache server with a text editor and delete the #
before the following fields.
#LoadModule rewrite_module modules/mod_rewrite.so
2. Configure the fields in the website running directory. For example, add the following content to the <directory
"c:="" xampp="" htdocs"=""> field:

<Directory "C:/xampp/htdocs">
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>
3. Restart the Apache server and then you can access it through both http://cloud.tencent.com (which will
be automatically redirected to https://cloud.tencent.com ) and https://cloud.tencent.com .

Installing an SSL Certificate (JKS Format) on

a Tomcat Server
：
Last updated 2023-02-14 15:27:01
Overview
This document describes how to install an SSL certificate (JKS format) on a Tomcat server.
Note ：
Tomcat 9.0.56 is used as an example.
The current server OS is Windows Server 2016 Chinese. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the Tomcat server so that HTTPS can be enabled
after the certificate is installed. For more information, please see How Do I Enable Port 443 for a VM?
CVMs.
Prerequisites
The Tomcat service has been installed and configured on the server.
Item Description
Note ：
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the
server IP address, username, and password.

If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand
is Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually
convert the format to generate a keystore as follows:
Access the conversion tool.
Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore
password, click Submit, and convert the certificate to a .jks certificate.
Directions
2. In the pop-up window, select JKS for the server type, click Download, and decompress the
cloud.tencent.com_jks folder.
Folder: cloud.tencent.com_jks
cloud.tencent.com.jks : keystore file
keystorePass.txt : password file (if you have set a private key password, this file will not be generated)
3. Copy the keystore file cloud.tencent.com.jks to the conf directory of the Tomcat installation directory.
4. Edit the server.xml file in the conf directory by adding the following:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"

maxThreads="150" scheme="https" secure="true"
# Path of the certificate
keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
# Keystore password
keystorePass="******"
clientAuth="false"/>
For details about the server.xml file, see below:

Note ：
To avoid format issues, you are not advised to copy the content of server.xml directly.
<?xml version="1.0" encoding="UTF-8"?>

<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="o
n" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
/>
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort=

"8443" />
<Connector port="443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false"
keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
keystorePass="******" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="cloud.tencent.com">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="cloud.tencent.com" appBase="webapps"
unpackWARs="true" autoDeploy="true" >
<Context path="" docBase ="Knews" />
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>

</Service>
</Server>
The main parameters of the configuration file are described as below:
keystoreFile: location of the keystore file. You can specify an absolute path or a path relative to the
<CATALINA_HOME> (Tomcat installation directory) environment variable. If this parameter is not set, Tomcat
reads the file named ".keystore" from the user directory of the current OS user.
keystorePass: keystore password. If you set a private key password when applying for the certificate, enter the
private key password; otherwise, enter the password in the keystorePass.txt file in the Tomcat folder.
clientAuth: If it is set to true, Tomcat requires all SSL clients to provide a security certificate for identity verification.
5. Confirm whether the Tomcat server is started.
If the Tomcat server is already started, you need to run the following .bat scripts in sequence in the bin
directory of the Tomcat installation directory to shut down and restart it:
shutdown.bat (Shut down the Tomcat server)

startup.bat (Start the Tomcat server)
If the Tomcat server is not started, you need to run the following .bat script in the bin directory of the Tomcat
installation directory to start it:
startup.bat
6. If the server is started successfully, you can access it through ``https://www.tencentcloud.com/`.
If the browser address bar displays the security lock logo, it means that the certificate is installed successfully.
If the website access is abnormal, you can refer to the following solutions to common problems:
Website Inaccessible After an SSL Certificate is Deployed

“Your Connection is Not Secure” is Displayed After the SSL Certificate is Installed”
Why Does the Website Prompt “Connection Is Untrusted"?
404 Error After the SSL Certificate is Deployed on IIS

1. Edit the web.xml file in the conf directory of the Tomcat installation directory and find the
<\/welcome-file-list> tag.
2. Insert a new line after <\/welcome-file-list> and add the following:
<login-config>

<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>

<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
3. Edit the server.xml file in the Tomcat installation directory by changing the redirectPort parameter to
the port of the SSL connector, i.e., port 443, as shown below:
<Connector port="80" protocol="HTTP/1.1"

connectionTimeout="20000"
redirectPort="443" />
Note ：
This change allows a non-SSL connector to redirect to an SSL connector.
4. Run the following .bat script in the /bin directory of the Tomcat installation directory to shut down the Tomcat
server:
shutdown.bat
5. Run the following command to confirm whether there is a problem with the configuration:

configtest.bat

If no, proceed to the next step.
6. Run the following .bat script to start the Tomcat server. In this way, you can access it through
https://www.tencentcloud.com/ .
startup.bat

Installing an SSL Certificate (PFX Format) on

a Tomcat Server
：
Last updated 2022-03-01 11:05:18
Overview
This document describes how to install an SSL certificate (PFX format) on a Tomcat server.
Note ：
The tomcat9.0.40 version is used as an example.
If you need to install an SSL certificate (JKS format) on a Tomcat server, see Installing an SSL Certificate
(JKS Format) on a Tomcat Server.
Before you install an SSL certificate, enable port 443 on the Tomcat server so that HTTPS can be enabled
after the certificate is installed. For more information, please see How Do I Enable Port 443 for a VM?
Prerequisites
website.
website.
The Tomcat service has been installed and configured on the server.
Item Description

Note ：
Currently, the Tomcat server is installed in the /usr directory. For example, if the Tomcat folder name is
tomcat9.0.40 , /usr/*/conf is actually /usr/tomcat9.0.40/conf .
Directions
2. In the pop-up window, select Tomcat for the server type, click Download, and decompress the
cloud.tencent.com_tomcat folder.
Folder: cloud.tencent.com_tomcat
cloud.tencent.com.pfx : certificate file
3. Log in to the Tomcat server using WinSCP (a tool copying files between a local computer and a remote computer).
4. Copy the obtained cloud.tencent.com.pfx certificate file from the local directory to the /usr/*/conf
directory.
5. Remotely log in to the Tomcat server using a login tool such as PuTTY.
6. Edit the server.xml file in the /usr/*/conf directory by using either of the following methods as needed:
Note ：
If you use method 1, Tomcat automatically selects an SSL implementation mode for you. If you are unable to
complete the subsequent configuration according to method 1, it may be because your environment does
not support the implementation mode. In that case, you can use method 2 to manually select an SSL
implementation mode based on your environment properties.
Method 1: automatically selecting an SSL implementation mode

Method 2: manually selecting an SSL implementation mode

Modify the value of the Connector attribute in the server.xml file to the following:
port="443"
protocol="HTTP/1.1"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="/usr/*/conf/cloud.tencent.com.pfx" # Path of the certificate file
keystoreType="PKCS12"
keystorePass="Certificate password" # Replace the value with the content in the
`keystorePass.txt` password file.
clientAuth="false"
SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RS
A_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_1
28_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
The main parameters of the configuration file are described as below:
keystoreFile: location of the certificate file. You can specify an absolute path or a path relative to the (Tomcat
installation directory) environment variable. If this parameter is not set, Tomcat reads the file named ".keystore"
from the user directory of the current OS user.
keystorePass: password in the password file, i.e., keystore password. If you have set a private key password
when applying for the certificate, enter the private key password; otherwise, enter the password in the
keystorePass.txt file in the cloud.tencent.com_tomcat folder.
clientAuth: If it is set to true, Tomcat requires all SSL clients to provide a security certificate for identity verification.
7. Confirm whether the Tomcat server is started.

If the Tomcat server is already started, you need to run the following commands in sequence in the
/usr/*/bin directory to shut down and restart it.
./shutdown.sh (Shut down the Tomcat server)

./startup.sh (Start the Tomcat server)
If the Tomcat server is not started, you need to run the following command in the /usr/*/bin directory to start
it.
./startup.sh
8. If the server is started successfully, you can access it through https://cloud.tencent.com .

1. Edit the web.xml file in the /usr/*/conf directory and find the <\/welcome-file-list> tag.
2. Insert a new line after <\/welcome-file-list> and add the following:
<login-config>
<auth-method>CLIENT-CERTauth-method>
<realm-name>Client Cert Users-only Arearealm-name>
login-config>
<security-constraint>
<web-resource-collection >
<web-resource-name >SSLweb-resource-name>
<url-pattern>/*url-pattern>
web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIALtransport-guarantee>
user-data-constraint>
security-constraint>
3. Edit the server.xml file in the /usr/*/conf directory by changing the redirectPort parameter to
the port of the SSL connector, i.e., port 443, as shown below:
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Note ：
This change allows a non-SSL connector to redirect to an SSL connector.
4. Shut down the Tomcat server by running the following command in the /usr/*/bin directory:
./shutdown.sh
5. Run the following command to confirm whether there is a problem with the configuration:

./configtest.sh

If no, proceed to the next step.
6. Run the following command to start the Tomcat server. In this way, you can access it through
http://cloud.tencent.com .
./startup.sh

Installing an SSL Certificate on a GlassFish

Server
：
Last updated 2022-03-01 11:05:18
Overview
This document describes how to install an SSL certificate on a GlassFish server.
Note ：
GlassFish 4.0 is used as an example.
Before you install an SSL certificate, enable port 443 on the GlassFish server so that HTTPS can be
enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
Prerequisites
website.
website.
The GlassFish service has been installed and configured on the current server.
Name Remarks
Note ：

If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand
is Wotrus, the option to download the Tomcat certificate file is not provided. Instead, you need to manually
convert the format to generate a keystore as follows:
The GlassFish service is installed in the /usr/share directory.
Directions
2. In the pop-up window, select Apache and JKS for the server type, click Download, and decompress the
After decompression, you can get the certificate files of the corresponding types, which include the
cloud.tencent.com_apache and cloud.tencent.com_jks folders.
CSR file: cloud.tencent.com.csr
Note ：
3. Remotely log in to the GlassFish server. For example, you can use PuTTY for remote login.
4. Go to the /usr/share/glassfish4/glassfish/bin directory, run the ./asadmin command, and

then run the change-master-password --savemasterpassword=true domain1 command to change
the domain administrator password.

Note ：
The default installation directory of the domain1 service is
/usr/share/glassfish4/glassfish/domains . Change the domain name after you execute
the change-master-password --savemasterpassword=true domain1 command.
The default password is changeit. Press Enter and enter the new password, which should be the
private key password you set when applying for the certificate.
If you haven’t set a private key password when applying for the certificate, enter the password of the
keystorePass.txt file in the cloud.tencent.com_jks folder.
5. In the /usr/share directory, run the mkdir temp command to create the temp folder.
6. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the GlassFish
server, and then copy the certificate file cloud.tencent.com.crt and the private key file
cloud.tencent.com.key from the local directory to the temp folder.
7. In the temp folder, run the following command to generate the PKCS12 file. When the system prompts you for a
password during the process, enter the new password, which is the private key password.
openssl pkcs12 -export -in cloud.tencent.com.crt -inkey cloud.tencent.com.key -

out mycert.p12 -name s1as
8. In the temp folder, run the ls -l command to check whether the PKCS12 file contains the certificate you
applied for.
9. In the temp folder, run the following command to generate the keystore.jks .
keytool -importkeystore -destkeystore keystore.jks -srckeystore mycert.p12 -src

storetype PKCS12 -alias s1as
0. In the temp folder, run the following command to generate the cacert.jks file. When the system prompts
you for a password during this process, enter the new password, which is the private key password.
keytool -importcert -trustcacerts -destkeystore cacerts.jks -file cloud.tencent

.com.crt -alias s1as

If the system asks whether to trust the certificate, enter yes as shown in the following figure.
11. Replace the keystore.jks and cacert.jks files in the domain1/config directory with the files
generated in steps 9 and 10.
12. In the /usr/share/glassfish4/glassfish/domains/domain1/config directory, change the port
numbers in the domain.xml file.
<network-listeners>
<network-listener port="80" protocol="http-listener-1" transport="tcp" name="http
-listener-1" thread-pool="http-thread-pool">network-listener>
<network-listener port="443" protocol="http-listener-2" transport="tcp" name="htt
p-listener-2" thread-pool="http-thread-pool">network-listener>
<network-listener port="4848" protocol="admin-listener" transport="tcp" name="adm
in-listener" thread-pool="admin-thread-pool">network-listener>
network-listeners>
3. Start the GlassFish server and then you can access the cloud.tencent.com website over the HTTPS
protocol.
Note ：

Installing an SSL Certificate on a JBoss

Server
：
Last updated 2022-02-10 14:27:26
Overview
This document describes how to install an SSL certificate on a JBoss server.
Note ：
JBoss 7.1.1 is used as an example.
Before you install an SSL certificate, enable port 443 on the JBoss server so that HTTPS can be enabled
CVMs.
Prerequisites
website.
website.
The JBoss service has been installed and configured on the current server.
Name Remarks

Note ：
If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand is
Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually convert the
format to generate a keystore as follows:
The JBoss service is installed in the /usr/local directory.
Directions
3. Remotely log in to the JBoss server. For example, you can use PuTTY for remote login.
4. In the /usr/local/jboss-7.1.1/standalone/configuration directory, run the mkdir cert
command to create the cert folder.
5. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the JBoss
server and copy the keystore file cloud.tencent.com.jks from the local directory to the cert folder.
6. In the /usr/local/jboss-7.1.1/standalone/configuration directory, change the port configuration
and add certificate configuration in the standalone.xml file.
Part 1:
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>



<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port
-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jbos
s.management.native.port:9999}"/>
<socket-binding name="management-http" interface="management" port="${jboss.m
anagement.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.
management.https.port:9443}"/>
<socket-binding name="ajp" port="8009"/>

<socket-binding name="http" port="80"/>

<socket-binding name="https" port="443"/>
<socket-binding name="osgi-http" interface="management" port="8090"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Changes required are as follows:

Enabling remote access: change ${jboss.bind.address:127.0.0.1} to
${jboss.bind.address:0.0.0.0} .
Changing the HTTP port: change port 8080 to 80.
Changing the HTTPS port: change port 8443 to 443.
Part 2: adding certificate configuration
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-h

ost" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="htt
p"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="ht
tps" secure="true">
<ssl name="https" password="******" certificate-key-file="../standalone/confi
guration/cert/cloud.tencent.com.jks" cipher-suite="TLS_RSA_WITH_AES_256_CBC_S
HA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_

WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES
_EDE_CBC_SHA" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
7. Go to the /usr/local/jboss-7.1.1/bin directory and run the ./standalone.sh command to start

the JBoss server.
8. The certificate is deployed and you can access the server through https://cloud.tencent.com .
Note ：

Installing an SSL Certificate on a Jetty Server

：
Last updated 2022-02-10 14:27:26
Overview
This document describes how to install an SSL certificate on a Jetty server.
Note ：
Jetty 9.4.28.v20200408 is used as an example.
Before you install an SSL certificate, enable port 443 on the Jetty server so that HTTPS can be enabled
CVMs.
Prerequisites
website.
website.
The Jetty service has been installed and configured on the current server.
Name Remarks
Note ：

If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand is
Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually convert the
format to generate a keystore as follows:
The Jetty service is installed in the /usr/local/jetty directory.
Directions
3. Remotely log in to the Jetty server. For example, you can use PuTTY for remote login.
4. In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, run the mkdir
cert command to create the cert folder.
5. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the Jetty server
and copy the keystore file cloud.tencent.com.jks from the local directory to the cert folder.
6. In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, modify the
configuration in the jetty-ssl-context.xml file.
Note ：
KeyStorePath: set the default value to the path of the certificate file.
KeyStorePassword: set the default value to the keystore password. If you have set a private key
password when applying for the certificate, enter the private key password; otherwise, enter the password
in the keystorePass.txt file in the cloud.tencent.com_jks folder.

KeyManagerPassword: set the value to the password in the keystorePass.txt file in the
TrustStorePath: set the default value to the certificate file path.
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "htt

p://www.eclipse.org/jetty/configure_9_3.dtd">


<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextF
actory$Server">
<Set name="Provider"><Property name="jetty.sslContext.provider"/></Set>
<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property n
ame="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/ce
rt/cloud.tencent.com.jks"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword"
deprecated="jetty.keystore.password" default="4d5jtdq238j1l"/></Set>
<Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default
="JKS"/></Set>
<Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvide
r"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassw
ord" deprecated="jetty.keymanager.password" default="4d5jtdq238j1l"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property
name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="e
tc/cert/cloud.tencent.com.jks"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassw
ord" deprecated="jetty.truststore.password"/></Set>
<Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType"/></
Set>
<Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvi
der"/></Set>
<Set name="EndpointIdentificationAlgorithm"><Property name="jetty.sslContext.en
dpointIdentificationAlgorithm"/></Set>
<Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" dep
recated="jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" dep
recated="jetty.ssl.wantClientAuth" default="false"/></Set>

<Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuit

esOrder" default="true"/></Set>
<Set name="sslSessionCacheSize"><Property name="jetty.sslContext.sslSessionCach
eSize" default="-1"/></Set>
<Set name="sslSessionTimeout"><Property name="jetty.sslContext.sslSessionTimeou
t" default="-1"/></Set>
<Set name="RenegotiationAllowed"><Property name="jetty.sslContext.renegotiation
Allowed" default="true"/></Set>
<Set name="RenegotiationLimit"><Property name="jetty.sslContext.renegotiationLi
mit" default="5"/></Set>
<Set name="SniRequired"><Property name="jetty.sslContext.sniRequired" default
="false"/></Set>

</Configure>
7. In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, change the port

number to 443 in the jetty-ssl.xml file.
<Call name="addConnector">
<Arg>
<New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server"><Ref refid="Server" /></Arg>
<Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecate
d="ssl.acceptors" default="-1"/></Arg>
<Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecate

d="ssl.selectors" default="-1"/></Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">

</Array>
</Arg>
<Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Se
t>
<Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default
="443" /></Set>
<Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.
timeout" default="30000"/></Set>
<Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDel
ta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
<Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecat
ed="ssl.acceptQueueSize" default="0"/></Set>
<Get name="SelectorManager">
<Set name="connectTimeout"><Property name="jetty.ssl.connectTimeout" default="1
5000"/></Set>
</Get>
</New>
</Arg>
</Call>
8. In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408 directory, add the following

content to the start.ini file:
etc/jetty-ssl.xml
etc/jetty-ssl-context.xml
etc/jetty-https.xml
9. In the Jetty root directory, run the java -jar start.jar command to start the Jetty server and then you can
access it through https://cloud.tencent.com .
Notes
After the certificate is deployed, the following error message may be displayed when you access
https://cloud.tencent.com :

If the error message is displayed, copy the ROOT file from the /usr/local/jetty/jetty-distribution-
9.4.28.v20200408/demo-base/webapps directory to the /usr/local/jetty/jetty-distribution-
9.4.28.v20200408/webapps directory, and then restart the Jetty server.
Note ：


：
Last updated 2022-04-06 14:44:09
Scenarios
This document describes how to install an SSL certificate on an IIS server.
Note ：
This document uses the certificate name cloud.tencent.com as an example. For your purposes,
please use the name used in your certificate.
This document takes Windows Server 2012 R2 as an example. The detailed steps may vary slightly
depending on the operating system.
Before you install an SSL certificate, enable port 443 on the IIS server so that HTTPS can be enabled after
the certificate is installed. For more information, see How do I enable port 443 for a server?.
To upload a SSL certificate to CVMs, see Copying Local Files to CVMs.
Directions
Certificate installation
1. Download the certificate package for the domain name cloud.tencent.com from the SSL Certificate Service
Console and decompress it to a local directory.
After decompression, you can get the certificate files of the relevant types, including the IIS folder and CSR file:
Folder name: IIS

Folder content:
cloud.tencent.com.pfx : certificate file
keystorePass.txt : password file (If a private key password is set, there is no keystorePass.txt .)
CSR file content: cloud.tencent.com.csr file
Note ：
The CSR file is uploaded by you or generated online by the system when you apply for the certificate and is
provided to the CA. It is not relevant to installation.

2. Open the IIS Manager, select the computer name, and double-click Server Certificates to open it, as shown in the
following figure.
3. In the Actions column to the right of the Server Certificates window, click Import, as shown in the following
figure.
4. In the Import Certificate pop-up window, select the path where the certificate file is stored, enter the password,
and click OK, as shown in the following figure.

Note ：
If you set a private key password when applying for the certificate, enter the private key password;
otherwise, enter the password in the keystorePass.txt file in the IIS folder.
If you forgot the private key password, please submit a ticket to ask Tencent Cloud engineers to delete
the certificate. You need to re-apply for the domain name certificate.
5. Select the name of a site under Sites and click Site Bindings in the Actions column on the right, as shown in the
following figure.

6. In the Site Bindings pop-up window, click Add, as shown in the following figure.
7. In the Add Site Binding window, set the site type to https, the port to 443, and the host name to the domain name
corresponding to the certificate, specify the corresponding SSL certificate, and click OK, as shown in the following
figure.

8. Once you made the addition, the new content will be available to view in the Site Bindings window, as shown in
the following figure.
9. Access https://cloud.tencent.com .
(Optional) Security configuration for automatic redirect from HTTP to HTTPS
Note ：
For normal redirect, edit the rule according to the following steps. If you have other needs, you can configure
as needed.
During the redirect from HTTP to HTTPS, if your website element contains external links or uses HTTP
protocol, it will cause the entire web page to not be completely based on HTTPS protocol. In this case, some
browsers may issue security warnings such as "this link is insecure". You can view the reason for the error
by clicking Details on message page.
1. Open the IIS Manager.

2. Select a site name under Sites, and double-click URL Rewrite, as shown in the following figure.
Note ：
Download and install the URL Rewrite module before proceeding to the following steps.

3. On the URL Rewrite page, click Add Rule(s) in the Actions column on the right, as shown in the following figure.
4. In the Add Rule(s) pop-up window, select Blank rule and click OK, as shown in the following figure.

5. Go to the Edit Inbound Rules page, as shown in the following figure.

Name: enter forced HTTPS.

Matching URL: enter (.*) in the Pattern text box.
Conditions: click to expand and click Add to pop up the Add Condition window.
Condition input: {HTTPS} .

Check if input string: select Matches the Pattern by default.

Pattern: enter ^OFF$ .
Action: enter the following parameters.
Action Type: select Redirect.
Redirect URL: https://{HTTP_HOST}/{R:1} .
Redirect Type: select See Other (303).
6. Click Apply in the Actions column to save the settings.

7. Return to the Sites page and click Restart in the Manage Website column on the right. Then, the website can be
accessed using http://cloud.tencent.com .
Note ：
If you experience any issues with the steps outlined above, please contact us.


：
Last updated 2022-04-06 14:35:31
Overview
This document describes how to install an SSL certificate on a WebLogic server.
Note ：
The example certificate name used in this document is cloud.tencent.com . Please use the actual
name of the certificate applied to your environment.
The example WebLogic version used in this document is 14.1.1.
The example operating system used in this document is Windows Server 2012 R2. The operational steps
may vary slightly depending on the operating system.
Before installing an Weblogic certificate, enable port 443 on the WebLogic server so that HTTPS can be
enabled after the certificate is installed. For more information, see How do I Enable Port 443 for a VM?.
For details about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Directions
Note ：
The directories mentioned in the following steps are the directories of the test environment. Determine their
specific paths based on your actual environment and needs.
1. Download the certificate package for the domain name cloud.tencent.com from the SSL Certificate Service
console and decompress it to a local directory.
After decompression, you can obtain the certificate files of the relevant types, including the Tomcat folder and
the CSR file:
Folder name: Tomcat

Folder content:
cloud.tencent.com.jks : certificate file

CSR file content: cloud.tencent.com.csr file
Note ：
The CSR file is uploaded by you or generated online by the system when you apply for the certificate and is
provided to the CA. It is irrelevant to the installation.
If you selected Paste CSR when applying for the SSL certificate or purchased the SSL certificate from
Wotrus, the option to download the Tomcat certificate file is not provided. Instead, you need to manually
convert the format to generate a keystore by using the conversion tool.
If the Tomcat certificate file is not provided, upload the certificate and private key files in the Nginx folder
to the conversion tool, enter the keystore password, and click Submit to convert the certificate to a .jks
certificate.
2. Log in to the server and create a folder. For example, temp in the C drive.
3. Decompress the certificate and password files and upload them to the temp folder.
4. Log in to the WebLogic Server Administration Console (default address:
http://localhost:7001/console ) by entering your username and password.
5. Choose Domain Configurations -> Servers.

6. On the Summary of Deployments page, select a target server such as AdminiServer .
7. On the configuration management page for AdminiServer , select SSL Listening Port Enabled, set SSL
Listening Port to 443 , and click Save.
8. On the configuration management page for AdminiServer , click the Keystores tab, set the parameters, and
click Save.

Set the parameters as follows:
Keystores: select Custom Identity and Java Standard Trust.

Custom Identity Keystore: enter the path to your JKS certificate file. For example,
C:\temp\cloud.tencent.com.jks .
Custom Identity Keystore Type: enter JKS .
Custom Identity Keystore Passphrase: enter your JKS password.
Confirm Custom Identity Keystore Passphrase: re-enter your JKS password.
Note ：
Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase are left
empty by default and can be set to your JKS password. The settings of these 2 parameters do not affect the
use of your certificate.
9. On the configuration management page for AdminiServer , click the SSL tab, set the parameters, and click
Save.

Set the parameters as follows:
Identity and Trust Locations: set it to KEYSTORES .

Private Key Alias: enter the JKS alias.
Private Key Passphrase: if you set a private password when applying for a certificate, enter the private password.
Otherwise, leave this parameter empty.
Confirm Private Key Passphrase: re-enter the private password.
Note ：
For WebLogic 10.3.6-12c, select JSSE in the advanced settings area on the SSL settings page.
WebLogic versions earlier than 10.3.6 do not support SHA2 certificates. Please upgrade and try again.
0. Click Save after modifying the necessary information. The modifications are automatically activated, eliminating the
need for restart.

1. Access https://cloud.tencent.com .

Tencent-Cloud 1007 36568 en

Uploaded by

Copyright:

Available Formats

You might also like

Tencent-Cloud 1007 36568 en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tencent-Cloud 1007 36568 en

Uploaded by

Copyright:

Available Formats

SSL Certificate Service

SSL Certificate Service

©2013-2022 Tencent Cloud. All rights reserved. Page 1 of 59

©2013-2023 Tencent Cloud. All rights reserved.

©2013-2022 Tencent Cloud. All rights reserved. Page 2 of 59

©2013-2022 Tencent Cloud. All rights reserved. Page 3 of 59

Manually Installing a Certificate

SSL Certificate Type Server OS Certificate Installation Method

Installing a Certificate on Apache Servers

Installing a Certificate on an Nginx Server

Installing a Certificate on a Tomcat Server

Installing a Certificate on Jetty Servers

Installing a Certificate on IIS Servers

Using the Certificate Installation Service Provided by Tencent Cloud

©2013-2022 Tencent Cloud. All rights reserved. Page 4 of 59

©2013-2022 Tencent Cloud. All rights reserved. Page 5 of 59

Installation of International Standard

Username The username used to log in to the server.

Password The password used to log in to the server.

©2013-2022 Tencent Cloud. All rights reserved. Page 6 of 59

4. Copy the cloud.tencent.com_bundle.crt and cloud.tencent.com.key files from the local

©2013-2022 Tencent Cloud. All rights reserved. Page 7 of 59

If yes, reconfigure or fix the problem as prompted.

©2013-2022 Tencent Cloud. All rights reserved. Page 8 of 59

Otherwise, proceed to step 8.

9. If the server is restarted successfully, you can access it through https://cloud.tencent.com .

(Optional) Security configuration for automatic redirect from HTTP to HTTPS

To redirect HTTP requests to HTTPS, complete the following settings:

Add a JavaScript script to the page.

©2013-2022 Tencent Cloud. All rights reserved. Page 9 of 59

If yes, reconfigure or fix the problem as prompted.

4. If the server is restarted successfully, you can access it through https://cloud.tencent.com .

©2013-2022 Tencent Cloud. All rights reserved. Page 10 of 59

Installing an SSL Certificate on an Apache

Username The username used to log in to the server.

Password The password used to log in to the server.

©2013-2022 Tencent Cloud. All rights reserved. Page 11 of 59

©2013-2022 Tencent Cloud. All rights reserved. Page 12 of 59

6. In the httpd.conf configuration file under /etc/httpd/conf , find the Include

7. In the 00-ssl.conf configuration file under /etc/httpd/conf.modules.d , find the LoadModule

©2013-2022 Tencent Cloud. All rights reserved. Page 13 of 59

(Optional) security configuration for automatic redirect from HTTP to HTTPS

1. Edit the httpd.conf configuration file in the /etc/httpd/conf directory.

2. Check whether LoadModule rewrite_module modules/mod_rewrite.so is in it.

If yes, remove the comment symbol ( # ) in front of LoadModule rewrite_module

LoadModule rewrite_module modules/mod_rewrite.so

4. Add the following to the httpd.conf configuration file:

©2013-2022 Tencent Cloud. All rights reserved. Page 14 of 59

Installing an SSL Certificate on an Apache

Username The username used to log in to the server.

Password The password used to log in to the server.

©2013-2022 Tencent Cloud. All rights reserved. Page 15 of 59

3. Log in to the Apache server via the RDP port.

4. Copy the root_bundle.crt certificate file, cloud.tencent.com.crt certificate file, and

©2013-2022 Tencent Cloud. All rights reserved. Page 16 of 59

folders under the \conf directory of the Apache server, respectively.

SSL Certificate File Folder

Step 2. Configure the file

2. Insert a new line after <\/welcome-file-list> and add the following: